Bridge filtering with IP filter on FreeBSD

A few years ago, one of my former college teachers prepared to use a large gift device from Microsoft to form a laboratory. It is hoped that this laboratory will be built into a place where students and employees can use it, giving them the higher authority of the system administrator of the faculty system. The teaching of Internet programming (WEB, distributed operating systems, etc.) is also planned here. One of the teachers ' wishes is to isolate the lab from the firewall so that students can visit sites around the world. It is clear that he does not understand Internet security.

During that time, the lab became a student (most of them had left school and some went to the Redmond) playground, playing virtual arenas (Unreal Tournament), playing noisy music. The college is very dissatisfied with this and wants to be able to regain control of it. So they told me to take over here. After all, I'm a loyal supporter of Unix/linux, so I have to know what I'm going to talk about. I took the task, only to see a mess. Some machines are used to make warez, or to be infected by viruses or other messy things. There is also a machine that has been granted root permission many years ago. (Ironically, it was a Linux machine, not Microsoft, and the machine never took any safety measures, and the lab keeper's brother put a rootkit on it.) When we found it, we replaced it with FreeBSD, and the root code was kept by us, and the machine was never invaded again. ）

The lab now has 10 Windows XP machines and a FreeBSD machine, and is completely open to the Internet. There are no backups (one tape drive, but usually the same tape), no unified login password, no shared home directory between UNIX and Windows, no security. My job is to make it safe and to turn this lab into a place where graduate students work for their projects, installing some Linux,mac OS x and FreeBSD in these machines.

The first thing I thought about was installing some kind of firewall to keep the lab away from the potential threats from outside, without too much restriction on the users in the lab. A few weeks ago, I installed my first ipfilter firewall and set up NAT and other things, which took only a few hours. Although I know very well that the UNIX community in the Netherlands is a fanatical supporter of Linux, I think FreeBSD plus ipfilter (or OpenBSD plus packetfileter) is easier to configure than a Linux firewall. The rules of the Linux firewall are much more complex and fuzzy than the rules of the IPFilter, so FreeBSD plus IPFilter is my first choice.

Perhaps as you know, IPFilter supports firewalls and NAT, so my first option is to use an external IP address, give all machines a private network segment IP address (such as 10.0.0.x), Nat and filter everything, and I finished the work within one hours. Unfortunately, the college administrator didn't want to do that. Their rationale is that if someone invades a machine in our lab from the Internet, we will be NAT to the lab, which will make it more difficult to find the attacked machine. Therefore, all machines must retain their assigned IP address.

But how do you set it like that? Obviously, you can use the normal NAT. So how do you assign IP addresses and network flags (NETMASK) to your firewall? The solution is the Network Bridge. The Network bridge links two segments together and makes them look like a network. So basically, you can copy packets from one network segment to another. So why not put a filter between them and build a network bridge with a filtering function? A network bridge with filtering capabilities makes it possible to filter packets without changing the network settings and to avoid resurfacing the lines. The Network Bridge with filtering function is also considered as a transparent filter.

FreeBSD provides good support for building a network bridge with filtering capabilities through IPFW, and there are already a number of good guides on this. But I was fascinated by ipfilter. The FreeBSD 4-stable Branch does not formally support a network bridge with filtering on the IPFilter (but it is a standard setting in 5-current). But there are patches on the 4-stable, and I think it's better than the stable distributions I've seen.

I installed FreeBSD 4.6 (including kernel code) on an old PC, downloaded patches, applied them, and compiled a new kernel. I added the following options to the kernel configuration:

Options Bridge

Options IPFilter

I removed most of the other options. After rebuilding a new kernel, I restarted the machine. Before I started, I entered the following Sysctl command (and, of course, I put them in the/etc/sysctl.conf):

Sysctl net.link.ether.bridge_cfg=xl0:0,xl1:0

Sysctl net.link.ether.bridge_ipf=1

Sysctl net.link.ether.bridge=1

Now I have a bridge with IPFilter filtering (set between Xl0 and XL1), but it has not been configured for any filtering.

The next thing is to set the filtering rules. The first step is to activate the IPFilter in/etc/rc.conf:

Ipfilter_enable= "YES"

I put the ipfilter rule on the/etc/ipf.rules, so I just need to make this little change.

I use xl0 as an external interface to connect XL1 as an internal interface. My rule is simple: Disable all external access to the workstation, allow internal access to part of the external service (Ssh,http,ms Terminal Server connections), but do not restrict internal users of the lab.

Pass in quick on xl0 Proto TCP from the to 131.211.83.40 port = flags S Keep state

Pass in quick on xl0 Proto TCP from the to 131.211.83.40 port =% flags S Keep state

Pass in quick on XL1 Proto TCP from the any keep state

Pass in quick on XL1 Proto UDP, from, any, keep state

Pass in quick on XL1 proto ICMP from the any to no keep state

Xl0 from the To 131.211.83.40

[More hosts go to here]

All communications from the intranet are allowed to pass (keep the original state unchanged). Except for a few connections (SSH and HTTP), other communications from outside are banned. I only allow packets that have a SYN tag or a part of the allowed reply to pass through.

Almost every mechanism works well except that I forget to put FTP in the back row. FTP is a very dangerous protocol. FTP (at least the variable is called "active") always attempts to establish a connection from the server to the client on port 20 (ftp-data). In the above rules, it is impossible to open ftp. We must add the following rules:

Pass in quick on xl0 Proto TCP from the to 131.211.83.40 port = The flags S Keep state

In a "normal" NAT setting, you can create an agent for FTP. However, because this is not a NAT setting, it is not possible to use proxies. Now, except Winamp, everything works very well.

Issues to be considered

Before you start using IPFilter's Network Bridge with filtering, you must consider the following questions:

The 4-stable patch is identified by the author as "Risk-ego" (Use at Your Own Risk). I used it successfully on FreeBSD 4.6, but it may not work on the new version.

NAT cannot be performed. Keep in mind that this bridge does not have its own IP anyway, so it cannot do NAT. This also means that you cannot use port mappings (redirection of Ports) and proxies (such as FTP proxies).

The "out" keyword I used did not work.

The Return-rst option (which rejects a connection, rather than making it timeout) does not work, as does Return-icmp-as-dest (these two options are described in IPFilter HOWTO section 3.6)

Conclusion

I found a network bridge with filtering function on FreeBSD and IPFilter. Both the operating system and the filtering system are proven to be very stable and versatile, and a network bridge with filtering is a useful way to increase security or temporarily plug security vulnerabilities.